
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #40

May 22, 2018

****************************************************************************

SANS NewsBites               May 22, 2018                Vol. 20, Num. 040

****************************************************************************


TOP OF THE NEWS


 

FCC Investigating LocationSmart

 

Securus Hacked

 

More Meltdown and Spectre Issues


REST OF THE WEEK'S NEWS

 

Wicked Mirai Botnet Variant Exploits IoT Vulnerabilities

 

RedDawn Malware Campaign Spies on North Korean Defectors

 

ISC Issues Advisories for Two BIND Vulnerabilities

 

WinstarNssmMiner Cryptomining Malware

 

Federal Vehicle Telematics Cybersecurity

 

Google Expands Availability of Project Shield to Include Elections and Political Campaigns


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Indegy  ***************************


You are now exposed to consistent and confusing noise regarding various ICS security approaches. You must take action, but what is the right action to take? Don't miss "Passive, Active or Hybrid Monitoring: What's the right choice for your ICS Network?" to help unravel the confusion. Register: http://www.sans.org/info/204070


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc


-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off with SANS Online Training until May 30.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


--

FCC Investigating LocationSmart

(May 17, 18, & 19, 2018)

The US Federal Communications Commission (FCC) is reportedly opening an investigation into LocationSmart, a company that locates mobile phones on the major US carriers' networks. LocationSmart allegedly sold mobile device location information to Securus. LocationSmart's website was also found to be leaking real-time mobile device location information without requiring any authentication.


Read more in:

Ars Technica: FCC investigates site that let most US mobile phones' location be exposed

https://arstechnica.com/tech-policy/2018/05/fcc-investigates-site-that-let-most-us-mobile-phones-location-be-exposed/

The Register: LocationDumb: Phone tracker foul-up exposes world+dog to tracking

http://www.theregister.co.uk/2018/05/18/phone_tracker_foulup/

KrebsOnSecurity: Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site

https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

 

--

Securus Hacked

(May 16 & 18, 2018)

Securus, the company recently revealed to be providing cell phone location data to law enforcement, was the target of a data breach last week. The intruder stole a database that includes some passwords belonging to Securus's law enforcement customers. Securus acquires phone location data from service providers. Such data are usually sold to marketing companies, but it was recently found that Securus offers a location-lookup service to law enforcement agencies as well. Last week, US Senator Ron Wyden (D-Oregon) asked the FCC to investigate wireless carriers that allow law enforcement unrestricted access to customer location data.


Read more in:

SC Magazine: Securus hacked after reports cops used it for tracking location

https://www.scmagazine.com/securus-hacked-after-reports-cops-used-it-for-tracking-location/article/767125/

Motherboard: Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US

https://motherboard.vice.com/en_us/article/gykgv9/securus-phone-tracking-company-hacked

 

--

More Meltdown and Spectre Issues

(May 21 & 22, 2018)

Additional variants of the Meltdown/Spectre class of processor flaws have been disclosed. Variant 3a is a rogue system register read (CVE-2018-3640) and Variant 4 is a speculative store bypass (CVE-2018-3639). Intel and other vendors are releasing microcode updates, and operating system vendors corresponding patches, to address the issues.


[Editor Comments]

[Neely] Regression testing is key in this space. As more Meltdown/Spectre fixes are released, make sure to fully test them before deploying to the enterprise, as the impact of the fix is tied to the specific work mix of the systems where the fixes are being deployed.
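A quick way for a Linux administrator to see which of these issues the running kernel reports as mitigated, added here as an example; it is not from the original newsletter or any vendor's tooling. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 and later, plus distribution backports) and reads the Variant 4 entry, spec_store_bypass, alongside the others. The status strings quoted in the comments are the kernel's own; the parsing is separated from the sysfs read so it can be exercised on captured strings.

```python
import os
from dataclasses import dataclass
from typing import List

# Linux exposes one file per issue here; Variant 4 (speculative store bypass)
# is "spec_store_bypass". Each file holds one status line, e.g.
#   "Not affected", "Vulnerable", or
#   "Mitigation: Speculative Store Bypass disabled via prctl and seccomp".
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


@dataclass
class VulnStatus:
    name: str
    raw: str
    state: str  # one of: mitigated, vulnerable, not_affected, unknown


def classify(raw: str) -> str:
    """Map a kernel status line to a coarse state. Prefix match, because the
    kernel appends mitigation details after the colon."""
    text = raw.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_status(name: str, raw: str) -> VulnStatus:
    return VulnStatus(name=name, raw=raw.strip(), state=classify(raw))


def ssb_requires_opt_in(raw: str) -> bool:
    """For spec_store_bypass, "disabled via prctl" (with or without seccomp)
    means only processes that opt in are protected; everything else still
    runs with speculative store bypass enabled."""
    return "via prctl" in raw


def read_sysfs(directory: str = SYSFS_VULN_DIR) -> List[VulnStatus]:
    """Read every entry. Returns [] on non-Linux hosts or kernels that predate
    the interface, so callers must treat an empty list as 'unknown'."""
    if not os.path.isdir(directory):
        return []
    statuses = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                statuses.append(parse_status(entry, fh.read()))
        except OSError:
            continue  # e.g. permission denied inside a restricted container
    return statuses


def unmitigated(statuses: List[VulnStatus]) -> List[str]:
    """Names of issues the kernel reports as Vulnerable."""
    return [s.name for s in statuses if s.state == "vulnerable"]


if __name__ == "__main__":
    found = read_sysfs()
    if not found:
        print("no sysfs vulnerability interface; status unknown")
    for s in found:
        opt_in = s.name == "spec_store_bypass" and ssb_requires_opt_in(s.raw)
        print(f"{s.name:24} {s.state:13} {s.raw}{' (opt-in only)' if opt_in else ''}")
```

Two caveats when reading the output: a spec_store_bypass line that reads "disabled via prctl" counts as mitigated but protects only processes that request it, so the default for most workloads is unchanged; and on Intel parts the mitigation depends on the updated microcode actually being loaded, so rerun the check after a firmware or microcode update rather than assuming the package install was enough.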


Read more in:

Cyberscoop: Tech giants reveal new variant of Meltdown and Spectre vulns

https://www.cyberscoop.com/variant-4-spectre-meltdown-intel-microsoft/?category_news=technology

ZDNet: Spectre chip security vulnerability strikes again; patches incoming

https://www.zdnet.com/article/spectre-chip-security-vulnerability-strikes-again-patches-incoming/

CNET: Intel discloses new variant on Spectre, Meltdown security flaws

https://www.cnet.com/news/intel-discloses-new-variant-on-spectre-meltdown-security-flaws/

The Register: Microsoft, Google: We've found a fourth variant of Meltdown-Spectre CPU holes

http://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/

US-CERT: Side-Channel Vulnerability Variants 3a and 4

https://www.us-cert.gov/ncas/alerts/TA18-141A


**************************  SPONSORED LINKS  ********************************


1) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204075


2) "Defending Against the Rising Tide of Industrial CyberThreats: An OT CyberSecurity Case Study" Register: http://www.sans.org/info/204080


3) "Reclaim Your Freedom to Safely Access the Web" with John Pescatore. Learn More: http://www.sans.org/info/204085


*****************************************************************************


THE REST OF THE WEEK'S NEWS

 

--

Wicked Mirai Botnet Variant Exploits IoT Vulnerabilities

(May 18 & 21, 2018)

Wicked, a new variant of the Mirai botnet, incorporates exploits for at least three known vulnerabilities in IoT (Internet of Things) devices that commonly remain unpatched, expanding the range of devices it can infect. The original Mirai relied on brute-forcing default credentials to take control of vulnerable devices.


Read more in:

Threatpost: Wicked Botnet Uses Passel of Exploits To Target IoT

https://threatpost.com/wicked-botnet-uses-passel-of-exploits-to-target-iot/132125/

ZDNet: Mirai botnet adds three new attacks to target IoT devices

https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/

 

--

RedDawn Malware Campaign Spies on North Korean Defectors

(May 21, 2018)

Some Android apps found in the Google Play store appear to contain malware aimed at infecting mobile devices belonging to North Korean defectors, the people who help them, and associated journalists. The campaign, which has been named RedDawn, is believed to be the work of a group known as Sun Team.


Read more in:

Dark Reading: North Korean Defectors Targeted with Malicious Apps on Google Play

https://www.darkreading.com/threat-intelligence/north-korean-defectors-targeted-with-malicious-apps-on-google-play/d/d-id/1331856

ZDNet: North Korean defectors, journalists targeted through Google Play

https://www.zdnet.com/article/north-korean-defectors-targeted-through-google-play/

 

--

ISC Issues Advisories for Two BIND Vulnerabilities

(May 18 & 21, 2018)

The Internet Systems Consortium (ISC) has released two advisories detailing vulnerabilities in BIND. Both can be triggered to cause an assertion failure in named, denying service for domain name resolution. The flaws affect BIND 9.12.0 and 9.12.1. Users should upgrade to BIND 9.12.1-P2.
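A small version check for the affected range, added here as an example; it is not from ISC or the original newsletter. It assumes that everything from 9.12.0 up to but not including 9.12.1-P2 should be treated as affected, and that named -v prints its version in the usual "BIND 9.12.1-P2 (...)" form. The detail worth noticing is that an ISC -P release sorts above the bare release it patches, the opposite of how semver-style tooling orders a hyphenated suffix, so a naive comparison reports 9.12.1-P2 as older than 9.12.1.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, P-level)

# Range from the advisories above: 9.12.0 up to, but not including, 9.12.1-P2.
AFFECTED_FROM: Version = (9, 12, 0, 0)
FIXED_IN: Version = (9, 12, 1, 2)

# Matches "9.12.1" and "9.12.1-P2". A missing -P level is treated as 0 so the
# bare release sorts below its patch releases. Subscriber/preview builds use
# a -S suffix; they are out of scope here and would parse as the bare version.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?\b")


def parse_bind_version(text: str) -> Optional[Version]:
    """Extract the first BIND version from free text such as `named -v` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: Version) -> bool:
    """Tuple comparison gives the right order: (9,12,1,0) < (9,12,1,2)."""
    return AFFECTED_FROM <= version < FIXED_IN


def check_named(named_path: str = "named") -> Optional[bool]:
    """Run `named -v` and return True (affected), False (not in range), or
    None when the binary is missing or prints no recognisable version."""
    try:
        out = subprocess.run([named_path, "-v"], capture_output=True,
                             text=True, timeout=5, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    version = parse_bind_version(out)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    result = check_named()
    print({True: "AFFECTED: upgrade to 9.12.1-P2",
           False: "not in the affected range",
           None: "could not determine BIND version"}[result])
```

Run it on each resolver host rather than trusting a package inventory: distributions sometimes backport the fix without changing the -P level, in which case the package changelog, not the version string, is the authority.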


Read more in:

ISC.org: CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c

https://kb.isc.org/article/AA-01602/0

ISC.org: CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

https://kb.isc.org/article/AA-01606/0

Dark Reading: New BIND Vulnerabilities Threaten DNS Availability

https://www.darkreading.com/threat-intelligence/new-bind-vulnerabilities-threaten-dns-availability/d/d-id/1331855

 

--

WinstarNssmMiner Cryptomining Malware

(May 17 & 18, 2018)

Cryptocurrency mining malware called WinstarNssmMiner attempted to infect half a million computers in just three days. WinstarNssmMiner targets Windows machines and is capable of shutting down certain antivirus processes. In addition, if a user tries to terminate XMRig, the mining utility that WinstarNssmMiner uses, the malware crashes the user's computer.


Read more in:

360 Total Security: CryptoMiner, WinstarNssmMiner, Has Made a Fortune By Brutally Hijacking Computers

https://blog.360totalsecurity.com/en/cryptominer-winstarnssmminer-made-fortune-brutally-hijacking-computer/

Bleeping Computer: WinstarNssmMiner Coinminer Campaign Makes 500,000 Victims in Three Days

https://www.bleepingcomputer.com/news/security/winstarnssmminer-coinminer-campaign-makes-500-000-victims-in-three-days/

SC Magazine: Attempts to terminate new WinstarNssmMiner cryptominer result in computer crash

https://www.scmagazine.com/attempts-to-terminate-new-winstarnssmminer-cryptominer-result-in-computer-crash/article/767108/

 

--

Federal Vehicle Telematics Cybersecurity

(May 15 & 18, 2018)

A March 2015 Executive Order requires that all US federal government vehicle fleet managers gather operational data, including fuel consumption, maintenance, and vehicle location. Because the data are collected and transmitted using telematics, the process raises cybersecurity concerns. The Department of Homeland Security (DHS) and Department of Transportation (DoT) have together developed a Telematics Cybersecurity Primer for Agencies. The guidelines cover protecting communications to and from the devices; protecting device firmware; protecting actions on the device through the least privilege principle; and protecting device integrity.  


[Editor Comments]


[Pescatore] Glad to see DoT/DHS cooperation on an important topic, but I couldn't find a copy to review. There have been a number of NIST and other agency reports on the same topic since 2014. What is needed is for the US government to use its buying power to require all vehicle purchases to require basic security hygiene be demonstrated by all vendors.


Read more in:

DHS: Snapshot: DHS, DOT Partner on Government Vehicle Telematics Cybersecurity Primer

https://www.dhs.gov/science-and-technology/news/2018/05/15/snapshot-dhs-dot-partner-government-vehicle-telematics

SC Magazine: DHS, DoT team up to secure federal vehicle fleets

https://www.scmagazine.com/dhs-and-dot-team-up-to-secure-federal-vehicle-fleets/article/767092/

 

--

Google Expands Availability of Project Shield to Include Elections and Political Campaigns

(May 16, 2018)

Google has expanded the availability of Project Shield, the company's free protection against distributed denial-of-service (DDoS) attacks, to include political campaigns, candidates, and political action committees. Previously, Project Shield was available to journalists, human rights advocates, human rights groups, and election monitors. Project Shield operates as a reverse proxy in front of the customer's web servers, absorbing attack traffic so that the origin receives only legitimate requests.


[Editor Comments]

[Pescatore] Interesting marketplace dynamics going on here. ISPs get paid by the bandwidth consumed; even though they are the most logical place to stop brute force type DDoS (and spam and phishing for that matter), ISPs have only provided, at best, reactive support. Google makes money on ad views; fewer web sites down due to denial of service attacks means more ads to view.
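A reverse proxy such as the one described above only helps if the origin refuses traffic that did not come through it; an attacker who finds the origin's real address (old DNS records, certificate transparency logs, a mail server on the same host) simply goes around the shield. The following origin-side check is an added example written for this issue, not Google's code or anything from the Project Shield documentation. The proxy address ranges in it are placeholders from the documentation-reserved blocks and must be replaced with the ranges the provider publishes; the real enforcement belongs in a firewall or cloud ACL, with this application-layer check as defence in depth and as the only safe way to recover the client address from X-Forwarded-For.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# ASSUMPTION: placeholder ranges (RFC 5737 / RFC 3849 documentation blocks).
# Replace with the egress ranges your DDoS proxy provider publishes.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def is_trusted_proxy(peer_ip: str, ranges: Iterable = PROXY_RANGES) -> bool:
    """True only for well-formed addresses inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def client_ip_from_xff(xff: Optional[str], peer_ip: str,
                       ranges: Iterable = PROXY_RANGES) -> str:
    """Recover the client address from X-Forwarded-For.

    Walk the header from the right, skipping hops that are trusted proxies;
    the first untrusted hop is the client. Never take the leftmost value: the
    client controls it and can set it to anything before the proxy appends
    the address it actually saw."""
    if not is_trusted_proxy(peer_ip, ranges) or not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, ranges):
            return hop
    return peer_ip  # every hop was a proxy; fall back to the TCP peer


def admit(peer_ip: str, xff: Optional[str],
          ranges: Iterable = PROXY_RANGES) -> Tuple[bool, str]:
    """Gate a request at the origin.

    Returns (allowed, client_ip). A connection whose TCP peer is not one of
    the proxies is a direct hit on the origin and is refused regardless of
    any headers it carries."""
    if not is_trusted_proxy(peer_ip, ranges):
        return (False, peer_ip)
    return (True, client_ip_from_xff(xff, peer_ip, ranges))


if __name__ == "__main__":
    # Constructed sample requests: a direct hit, a proxied request, and a
    # proxied request whose client tried to spoof the header.
    for peer, header in [("198.51.100.7", None),
                         ("203.0.113.5", "198.51.100.7"),
                         ("203.0.113.5", "10.0.0.1, 198.51.100.7, 203.0.113.6")]:
        print(peer, header, "->", admit(peer, header))
```

Rate limiting and logging at the origin should key on the returned client address, not on the TCP peer, since every proxied request arrives from the same handful of proxy addresses.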


Read more in:

Google: Project Shield Help

https://support.google.com/projectshield/answer/6358588

CNET: Google rolls out free cyberattack shield for elections and campaigns

https://www.cnet.com/news/google-rolls-out-free-project-shield-cyberattack-protection-for-elections-and-campaigns/


 

INTERNET STORM CENTER TECH CORNER


Redis Cryptocoin Mining Worm

https://isc.sans.edu/forums/diary/Anatomy+of+a+Redis+mining+worm/23673/


Evolving Chrome's Security Indicator

https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html


DrayTek CSRF 0-Day Exploited to Change DNS Servers

https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks


Rowhammer Remote Exploit

https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf

https://arxiv.org/abs/1805.04956

       

Spectre NG Patches

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

https://bugs.chromium.org/p/project-zero/issues/detail?id=1528


New "Moon" Variant

http://blog.netlab.360.com/gpon-exploit-in-the-wild-iv-themoon-botnet-join-in-with-a-0day/

https://isc.sans.edu/forums/diary/Something+Wicked+this+way+comes/23681/


Extracting Keys From Windows ssh-agent

https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/

   

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create